Avatar photo


Author Bio ▼

Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
May 15, 2019


Lithium-Ion batteries. A guide to the fire risk that isn’t going away but can be managed

"unprecedented security flaw"

WhatsApp spyware breach: Cybersecurity experts respond

WhatsApp has discovered a serious vulnerability in its messaging app, allowing hackers to remotely install surveillance software on phones and other devices.

The Facebook-owned company said the attack was focused on a “select number” of users and directed by “an advanced cyber-actor”.

A fix was rolled out on Friday, but WhatsApp advised its 1.5 billion users to update their apps as an added precaution.

How exposed are users – accounting for a staggering 28% of the global population – and what financial and reputational damage awaits WhatsApp? Did it respond decisively enough and appropriately?

We’ve published responses from a number of cybersecurity experts below.

It’s impressive that WhatsApp discovered this attack at all: Chris Boyd, Malwarebytes

This attack is enormously worrying for anyone using WhatsApp on a phone alongside sensitive information.

Even without that, access to camera and microphone is a major privacy concern and everybody should upgrade to the newest version as soon as possible.

The really impressive thing here is that the WhatsApp team discovered this attack at all, given no click to install is required.

Chris Boyd is Malware Intelligence Analyst at Malwarebytes

WhatsApp’s ‘end-to-end-encryption’ badge is no guarantee that communications are secure: Mike Campin, Wandera

This new type of attack is deeply worrying and shows how even the most trusted mobile apps and platforms can be vulnerable. While this attack is based on a previously identified exploit known as Pegasus, the fact that it has been repackaged into a form that can be delivered via a simple WhatsApp call has shocked many.

While WhatsApp is not typically used as an official corporate messaging application, it is used widely internationally on both employees’ personal devices as well as on corporate-issued devices, and once exploited via this new attack, the attacker has complete control and visibility of all data on the phone.

IT teams have an urgent job to do today. First, they need to take inventory of how many of their users are currently running an outdated version of WhatsApp on their devices to assess potential vulnerabilities.

They need to instruct all their staff to update to the latest versions of WhatsApp, which were released on the App Store and Google Play on 10 May 2019. Then, they need to revisit their policies on which apps their employees can use for work purposes, whether that be on their own personal smartphones or corporate-issued devices.

Bear in mind that this isn’t the first time WhatsApp’s security has been brought into question. We’ve seen recent incidents of ‘whishing’ – phishing messages over WhatsApp – that have been launched to dupe users.

WhatsApp’s ‘end-to-end-encryption’ badge certainly shouldn’t be mistaken as a guarantee that communications are secure.

Mike Campin is VP Engineering, Wandera

Serious legal ramifications are foreseeable: Ilia Kolochenko, ImmuniWeb Inc

That such a vulnerability can be exploited remotely in a default configuration is extremely critical and alarming. It is an unprecedented security flaw in terms its potential to run high-profile targeted attacks.

WhatsApp is so popular that virtually everyone is a potential victim. Worse, today, access to someone’s smartphone likely provides access to much more sensitive information than access to a computer for example. The ability to track the victim in real time, to listen to a device’s microphone and read instant communications are all a golden-mine for cybercriminals.

Rumours about such security flaws were circulating since a while already, but few people took them seriously. All corporate users of WhatsApp should urgently launch forensics on their mobile devices to verify whether they were compromised and back-doored.

I think this security incident will cause irreparable damage to Facebook’s reputation, as people are fed up seeing their data being sold, leaked and hacked. Serious legal ramifications are also foreseeable.

Ilia Kolochenko is founder, CEO and chief architect, ImmuniWeb Inc

This attack needed no interaction from the victim: Javvad Malik, KnowBe4

Cybercriminals or state actors will typically follow the users. With WhatsApp being such a popular communication tool around the world, it is no surprise that it would make such an appealing target.

It doesn’t appear as if masses of users were victims of this attack; rather, the vulnerability was exploited to infect specific individuals in a more targeted attack.

The worrying thing about this attack was that it needed no interaction from the victim. A WhatsApp phone call would infect the user, even if they didn’t answer it. While there is not much the average user can do in this situation, for high profile individuals, or those working with sensitive information, it becomes important to evaluate downloaded apps, and indeed the functionality of a smartphone as a whole.

Flaws can exist in every software, but kudos to the WhatsApp team for their rapid turnaround and releasing of a fix.

Javvad Malik is Security Awareness Advocate, KnowBe4

The packet execution forces WhatsApp’s internal buffer to overflow, overwriting security: Daniel Follenfant, NTT Security

The hacking of WhatsApp’s messaging service is a classic example of a Buffer overflow attack.

Buffer overflows aren’t new, but you don’t often see them these days and this attack is particularly clever because it uses this flaw to gain access to a phone without the user even answering.

In its simplest form Buffer overflows are a way of writing code to an area of the application in memory that will then be executed. The WhatsApp exploitation resonates the classic but more sophisticated buffer flow attack.

To carry this out the attacker had to deceive the receiver by making a call and then send the sending packets of data during the process of the call- once the packers transfer are complete; the packet execution forces whatsApp’s internal buffer to overflow, overwriting the apps security and allows surveillance capability on encrypted chat, eaves drop on calls and microphone and control the camera.

There is nothing you can do about this; it is a design flaw and WhatsApp has quickly addressed the problem by releasing a patch for applications already running and the new versions do not appear to be susceptible.

Our advice to users is to check that you are not running a susceptible application by checking the version number running “The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15. If you are unable to locate the version or are worried then backup your messages, completely remove WhatsApp and reinstall from the latest version on the relevant App Store.

This was a very coordinated attack developed by NSO group who in the past have been able to breach phone security with its famous Spyware Pegasus software and we urge all users to update their WhatsApp application.

Daniel Follenfant is senior manager, penetration testing, consulting services, at NTT Security

Related Topics

Notify of
Inline Feedbacks
View all comments